Session Ticket Authentication Scheme

ABSTRACT

A method of propagating a user's authentication/session information between different requests to Web services in a network includes a web server receiving a request for access to a first web service. The request is intercepted with an agent and authentication credentials are collected. A determination is made whether the web service customer is authenticated and authorized. If the web service customer is authenticated and authorized, a session and session ticket are created. An ID and the session ticket are returned to the web server. The session ticket ID and a public key are encrypted into an assertion. The assertion is sent to the first web service. The assertion is then returned to the web service customer for use with future requests. The assertion can be in the form of a SAML assertion.

RELATED APPLICATION

This application claims priority to, and the benefit of, co-pending U.S. Provisional Application No. 60/398,654, filed Jul. 26, 2002, for all subject matter common to both applications. The disclosure of said provisional application is hereby incorporated by reference in its entirety.

FIELD OF THE INVENTION

The present invention relates to an authentication scheme suitable for determining user access in a network, and more particularly to a system and method for authentication and authorization of a user attempting to access Web services without repetitive re-authentication and re-authorization requirements, providing single sign-on functionality.

BACKGROUND OF THE INVENTION

Web services are a standardized way of integrating Web-based applications using various standard languages and interfacing technology (e.g., XML, SOAP, WSDL, and UDDI) available to the public over an Internet protocol backbone. The extensible markup language (XML) is used to tag the data being sent or received. Tagging involves inserting a command in a document that specifies how the document, or a portion thereof, should be formatted. Tags are utilized by all format specifications that store documents as text files. Simple Object Access Protocol (SOAP) provides a way for applications to communicate with each other over the Internet, regardless of platform. SOAP uses XML to define the format of the information, and then adds the necessary HyperText Transfer Protocol (HTTP) headers to send it to a destination. Web Services Description Language (WSDL) is an XML formatted language used to describe the capabilities of a Web service as collections of communication endpoints capable of exchanging messages. Universal Description, Discovery, and Integration (UDDI) is a Web-based distributed directory that enables businesses to list themselves on the Internet and discover each other, similar to a phone book for the Internet.

Web services are used primarily for businesses to communicate with each other, and with clients, allowing organizations to communicate data without intimate knowledge of each other's information technology systems behind firewalls. Firewalls are systems used to prevent unauthorized access to or from private networks. Most often, firewalls are used to prevent Internet users from gaining unauthorized access to a company's or individual's private computer network.

In addition, Web services allow different applications from different sources to communicate with each other without specific coding. All Web service communication occurs in the XML language, so Web services are not tied to a specific operating system or programming language. Instead, Web services can communicate with, and facilitate communication between, multiple different operating systems and languages.

Often, the many users of the Internet, including businesses and clients, have a need for sharing information or data in a secure environment. The Security Assertions Markup Language (SAML) is an XML framework for exchanging security information between parties over the Internet or other distributed network. Many businesses are developing partnerships on the Web. As a result, there is an increase in user-initiated transactions in business-to-consumer scenarios, and XML initiated transactions in business-to-business scenarios. A transaction initiated at one site can be completed at a different site, requiring security information to be shared among the various Web sites involved in a single transaction.

The basic SAML objects are assertions, such as authentication assertions and authorization attributes (attributes that a service uses to make authorization decisions, such as an identifier, a group or role, or other user profile information). SAML assertions are submitted to, and generated by, trusted authorities using a request/response protocol. SAML assertions are embedded in transport and messaging frameworks. SAML defines a message format and protocol for distributing SAML data among trusted partners in a business relationship. SAML's message protocol supports putting data assertions from an authoritative source to a receiver. This allows the exchange of event notifications between two parties in a trusted relationship.

Currently, there is no solution enabling one to propagate a user's authentication/session information between different requests to Web services. The user must be authenticated each time he/she accesses a Web service. The authentication process takes time, thus with each pause for authentication, the user's interaction with the different Web services is made slower.

SUMMARY

The present invention is directed toward a method of propagating a user's authentication/session information between different requests to Web services. In accordance with one embodiment of the present invention, in a network including at least one electronic device, a method of authentication of a web service customer includes a web server receiving a request for access to a first web service. The request is intercepted with an agent and authentication credentials are collected. A determination is made whether the web service customer is authenticated and authorized. If the web service customer is authenticated and authorized, a session and session ticket are created. An ID and the session ticket are returned to the web server. The session ticket ID and a public key are encrypted into an assertion. The assertion is sent to the first web service. The assertion is returned to the web service customer.

The method can further include the web service customer inserting the assertion, and a signature into a document. The web server can receive a request for access to a second web service. The request can be intercepted with the agent and authentication credentials collected. A determination is made whether the assertion is valid. If the assertion is valid, a determination is made whether the web service customer is authenticated. If the web service customer is authenticated, the web service customer is granted access to the second web service.

In accordance with aspects of the present invention, the request can be in the form of a SAML assertion.

In accordance further with aspects of the present invention, receiving a request can include the web server receiving a public key and a request for access to a web service. Intercepting the request can include an XML agent intercepting the request and gathering authentication credentials. Determining whether the web service customer is authenticated and authorized can include comparing the web service customer with a database containing authentication and authorization data.

In accordance with another embodiment of the present invention, in a network including at least one electronic device, a method of authentication of a web service customer includes the web service customer inserting an assertion and a signature into a document. A web server receives a request for access to a web service. The request is intercepted with an agent and authentication credentials are collected. A determination is made whether the assertion is valid. If the assertion is valid, a determination is made whether the web service customer is authenticated. If the web service customer is authenticated, the web service customer is granted access to the web service.

In accordance with another embodiment of the present invention, in a network including at least one electronic device, a method of authentication of a web service customer includes the web service customer sending a request for access to a first web service. A web server receives an encrypted assertion and public key for incorporation into future requests. The web service customer is then granted access to the first web service. The method can further include inserting the encrypted assertion and public key, and a signature, into a document, requesting access to a second web service, and being granted access to the second web service.

In accordance with another embodiment of the present invention, in a network including at least one electronic device, a method of authentication of a web service customer includes a web server receiving a request for access to a first web service. The request is intercepted and authentication credentials are gathered. A determination is made whether the web service customer is authenticated and authorized. If the web service customer is authenticated and authorized, a session and session ticket are created. An ID and the session ticket are then returned to the web server. The session ticket ID, a public key, and a private key are encrypted into an assertion. The assertion is sent to a first web service.

The method can further include receiving a request from the first web service for access to a second web service, intercepting the request with the agent and collecting authentication credentials, determining whether the assertion is valid, if the assertion is valid, determining whether the web service customer is authenticated, and if the web service customer is authenticated, granting the first web service access to the second web service.

In accordance with aspects of the present invention, receiving a request can include receiving an XML document without a public key. Intercepting the request can include an XML agent intercepting the request and gathering authentication credentials. Determining whether the web service customer is authenticated and authorized can include comparing the web service customer with a database containing authentication and authorization data.

In accordance with another embodiment of the present invention, in a network including at least one electronic device, a method of authentication of a source of a document includes a third party receiving a document from a previously authenticated first source. The third party forwards the document to a predetermined authentication system responsible for previously authenticating the first source to authenticate the source. The third party then receives an indication of validation as to whether the document originated with the first source.

In accordance with aspects of the present invention, receiving a document can include a web server receiving a public key and a request for access to a web service. Receiving a document can alternatively include receiving an XML document without a public key. The predetermined authentication system can include an XML agent intercepting the request and gathering authentication credentials. Determining whether the document originated with the first source can include comparing the first source with a database containing authentication and authorization data.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will become better understood with reference to the following description and accompanying drawings, wherein:

FIG. 1 is a diagrammatic illustration of an example network within which the present invention can operate;

FIG. 2A is a diagrammatic illustration of an authentication scheme, according to one aspect of the present invention;

FIG. 2B is a flow chart showing a series of steps in the authentication scheme of FIG. 2A, according to one aspect of the present invention;

FIG. 2C is a flow chart showing a series of steps for subsequent access in the authentication scheme of FIG. 2A, according to one aspect of the present invention;

FIG. 3A is a diagrammatic illustration of an authentication scheme variation, according to one aspect of the present invention;

FIG. 3B is a flow chart showing a series of steps in the authentication scheme variation of FIG. 3A, according to one aspect of the present invention; and

FIG. 3C is a flow chart showing a series of steps for subsequent access in the authentication scheme variation of FIG. 3A, according to one aspect of the present invention.

DETAILED DESCRIPTION

An illustrative embodiment of the present invention relates to a SAML session ticket authentication scheme, which provides a mechanism for single sign-on across Web services hosted by the same policy server. The mechanism that enables single sign-on is an encrypted token embedded in a SAML assertion, which is a piece of data that contains a session ticket and a public key. The SAML assertion is utilized by the SAML session ticket authentication scheme to verify there is a valid session, and to ensure the integrity of the signed XML document. By including the session ticket and the public key in the assertion, a client can access Web services that share the same policy server without being re-challenged for credentials. In accordance with the teachings of the present invention, the user can authenticate once, using any of the Policy Server authentication schemes associated with the present invention, and a SAML assertion will be generated that binds the session ticket with the user's public key, or a public key supplied by an Agent, such as the Netegrity Agent produced by Netegrity, Inc. of Waltham, Mass. This assertion can then be used for authentication on subsequent requests to Web services in this domain.

Prior to discussing the invention, the following terms and phrases as utilized herein have the conventional industry definitions as summarized below. These definitions are intended merely to serve as a quick reference in reading this disclosure, but do not limit the interpretation of each term to only that which is provided in the definition. The following terms and phrases are to be interpreted in accordance with convention in the industry:

“authentication”—This term generally refers to the process of identifying a user or client, typically with use of a name and password.

“authorization”—This term generally refers to the process of granting or denying access to a network resource or application. Often, network security systems utilize a two-step process. First is authentication, wherein a user identity is verified. Second is authorization, which determines what applications or resources the user is permitted to access within the network or enterprise.

“non-repudiation”—This term generally refers to the assurance that a transferred message has been sent and received by the parties claiming to have sent and received the message. Non-repudiation is often realized by use of digital signatures, confirmation services, and/or timestamps.

“Policy Server”—This term generally refers to the server within a network or enterprise system that controls the policies of the system, including access of information and clients to and from the system.

“public key”—This term is used in conjunction with a “private key” when discussing cryptographic systems. The public key is available to everyone, while the private key is known only to the intended recipient of the message. The public key and private key are related, such that only the public key can be used to encrypt a message and only the corresponding private key can be used to decrypt the message. When Party A wants to send a secure message to Party B, Party A encrypts the message using Party B's public key, and Party B can then decrypt using the private key.

“secure sockets layer (SSL)”—This term generally refers to a protocol developed for transmitting private documents via the Internet. SSL uses a public key to encrypt data transferred over the SSL connection.

“session ticket”—This term generally refers to a ticket containing general information about a user and that user's authentication information. The session ticket is used to identify the user's session across all sites in a single sign-on environment.

“single sign-on”—This term generally refers to an authentication process in a client/server relationship, where the user (or client) can enter a single name and password. The single entry of name and password enables the user to gain access to more than one application or resource within an enterprise, without repeatedly entering names and passwords for authentication purposes.

FIGS. 1 through 3C, wherein like parts are designated by like reference numerals throughout, illustrate example embodiments of an authentication and authorization scheme according to the present invention. Although the present invention will be described with reference to the example embodiments illustrated in the figures, it should be understood that many alternative forms can embody the present invention. One of ordinary skill in the art will additionally appreciate different ways to alter the parameters of the embodiments disclosed, in a manner still in keeping with the spirit and scope of the present invention.

As stated previously, the SAML session ticket authentication scheme in accordance with the teachings of the present invention provides a mechanism for single sign-on across multiple Web services hosted by the same Policy Server. The mechanism that enables single sign-on is a SAML assertion containing an encrypted token that is comprised of a session ticket and a public key. The SAML session ticket authentication scheme utilizes the SAML assertion to verify that there is a valid session, and to ensure the integrity of the signed XML document (i.e., to ensure that the XML document was signed by the same party that obtained the valid single sign-on session).

For an assertion to be generated, the Policy Server first must authenticate and authorize the client. The authorizing policy must have a response configured with it that issues SAML response data. The XML Agent utilizes the response data to generate the assertion. The assertion passes to clients who then use the assertion to gain access to Web services protected by the SAML session ticket authentication scheme. The SAML response can be configured to place the assertion within a SOAP document or in an HTTP header separate from the XML document.

In accordance with one example embodiment, the SAML session ticket authentication scheme works in conjunction with a proxy authentication service model. A proxy authentication service is a configuration in which there is only one authentication service responsible for authenticating clients. The authentication verifies the client identity, and then returns a SAML assertion that the client can use for subsequent requests without re-authenticating.

When a client makes a request for a Web service, the client must obtain the assertion from the authentication service, which is protected by an XML Agent. The assertion can be obtained using any secure method of authentication, including a signed XML document. The initial request must also provide a public key to the XML Agent, which can be accomplished by inserting the public key into the XML document, or obtaining the public key from a Policy Server user directory.

After client authentication, the client enters the authorization process. If the client successfully completes the authorization process with one or more authorizations, the XML Agent responds with a SAML assertion containing a session ticket and the client's public key, bound together by encryption.

The authentication service passes the assertion to the client for subsequent Web service requests. The client does not get challenged again by other Web services hosted by the same Policy Server because the requesting SOAP document contains the assertion and the XML document. The client must, however, sign each XML document request using its private key associated with the public key provided during authentication.

FIG. 1 illustrates an example network configuration upon which the present invention can operate. A web service consumer 110 can communicate with a mainframe 122 or other destination through a network 120, such as the Internet. The web service consumer 110 and mainframe 122 are representative of a number of different electronic devices. Electronic devices suitable for practicing the illustrative embodiments of the present invention are representative of a number of different technologies, such as mainframe computers, servers, personal computers (PCs), laptop computers, workstations, personal digital assistants (PDAs), Internet appliances, mobile telephones, card readers, and the like. Electronic devices include some form of a central processing unit (CPU), or processing device, and may include a display device. The display device allows an electronic device to communicate directly with a user through a visual display. The electronic device may also include input devices such as a keyboard, mouse, stylus, trackball, joystick, touch pad, touch screen, and the like. The electronic device typically includes primary storage and sometimes secondary storage for storing data and instructions. The storage devices can include such technologies as a floppy drive, hard drive, tape drive, optical drive, read-only memory (ROM), random access memory (RAM), and the like. Applications such as browsers, JAVA virtual machines (JAVA is a trademark and/or registered trademark of Sun Microsystems, Inc. of Mountain View, Calif., in the United States and other countries), and other utilities and applications can be resident on one or more storage devices. The electronic device often includes a network interface for communicating with one or more electronic devices external to the electronic device. A modem is one form of establishing a connection with an external electronic device or network. The CPU has attached thereto, either internally or externally, one or more of the aforementioned components.

The web service consumer 110, using an electronic device, can communicate via the network 120 with the mainframe 122. The mainframe 122, or equivalent electronic device, can include a web server 112 connected with a policy server 114 and a plurality of web services, such as a first web service 116 and a second web service 118. The web service consumer 110 and the mainframe 122 all become part of the network 120 when they communicate with one another. The electronic devices that communicate via the network 120 run operating systems, such as a Windows® series operating system offered by Microsoft Corporation, or Unix® operating system offered by Unix System Laboratories, Inc., and the like.

The network 120 may include other hardware and software components as well. For example, firewalls (not shown) may be configured to prevent unauthorized access to components of the network 120. The firewalls may be implemented in hardware, in software, or as a combination of hardware and software.

One of ordinary skill in the art will appreciate that FIG. 1 illustrates only one example network configuration, for the sake of clarity. However, a number of different configurations are possible, as understood by one of ordinary skill in the art.

FIGS. 2A and 2B illustrate one example process for implementing the proxy authentication service. A client in the form of a Web service consumer 10 first sends a request to a Web server 12 to access a first Web service 18 (step 30). An XML agent 14 intercepts the request and gathers the authentication credentials of the user associated with the Web service consumer 10 (step 31). As part of the request, a public key must be made available to the XML Agent 14. If the Web service consumer 10 is authenticated and authorized for access to the first Web service 18, the XML Agent 14 instructs the creation of a session and session ticket within a Policy Server 16 (step 32). The determination of whether the Web service consumer 10 is authenticated and authorized can result from, for example, a comparison of the credentials provided by the consumer 10 against a database containing records of consumers that are allowed to gain access to the Web server 12. If either authentication or authorization fails, the Web service consumer 10 is denied access to the requested Web service.

Returning to the case of valid authentication and authorization, the ID for the session ticket is passed back to the XML Agent 14 (step 34). This authentication process is carried out using an authentication scheme other than the SAML session ticket scheme (e.g., X.509 digital certificates). The XML Agent 14 encrypts the concatenation of the session ticket ID and the public key of the user with a private key (step 36). The XML Agent 14 then places the encrypted concatenation inside a SAML assertion, places the assertion into an HTTP or SOAP envelope header, and sends the SAML assertion to the first Web service 18 (step 38). The first Web service 18 then returns the assertion to the Web service consumer 10 in an XML document (step 40).

For subsequent requests, the following method can be followed, as illustrated in FIGS. 2A and 2C. The Web service consumer 10 places the SAML assertion that it received from the first Web service 18 into a new XML document, signs the XML document with its private key, and requests access to a second Web service 20 (step 42). The request is in the form of an XML document. The XML Agent 14 intercepts the request and validates the SAML assertion by ensuring the XML document was signed with the private key that matches the public key (step 44). If the SAML assertion is valid, the XML Agent 14 uses the session ticket ID with the SAML assertion to determine if the user is authenticated to access the second Web service 20 (step 46). If the user is authenticated, the Web server 12 grants access to the Web service consumer 10 without the Web service consumer 10 having to re-authenticate because of information in the assertion (step 48). This results in single sign-on functionality. If either the SAML assertion or the user authentication is invalid, the user is denied access.

In accordance with another example embodiment of the present invention, a chain Web service model is provided. A chain Web service model is an environment in which the first Web service in the chain is responsible for authenticating clients and generating assertions. The Web service binds each assertion to the requesting XML document and passes the document to downstream Web services for processing by other applications.

In the chain model, the client request must be an XML document. However, there is no requirement for the client to supply a public key. The XML Agent dynamically generates a public key and private key pair, and then creates the SAML assertion. The SAML assertion contains a session ticket and the public key corresponding to the generated private key. The XML Agent then signs the XML document with its private key, which binds the XML document to the SAML assertion.

After the SAML assertion and the XML document are issued, an application passes the XML document to the next Web service in the chain. When a downstream Web service receives the XML document, the SAML session ticket authentication scheme verifies the XML document's signature and validates the originator of the document based on the session ticket in the SAML assertion. The application receiving the XML document can then process the XML document and send the XML document to other Web services protected by the SAML authentication scheme.

FIGS. 3A and 3B illustrate the chain Web service example embodiment in accordance with teachings of the present invention. A client in the form of a Web service consumer 50 sends a request to a Web server 52 to gain access to a first Web service 58 (step 70). An XML Agent 54 intercepts the request and gathers the authentication credentials of a user associated with the request (step 72). The XML Agent 54 determines whether the Web service consumer 50 is authenticated and authorized for access to the first Web service 58, and if the Web service consumer 50 is authenticated and authorized for access to the first Web service 58, then a session and session ticket are created (step 74) within a Policy Server 56. The determination of whether the Web service consumer 50 is authenticated and authorized can result from, for example, a comparison of the credentials provided by the consumer 50 against a database containing records of consumers that are allowed to gain access to the Web server 52. If the user cannot be authenticated or is not authorized, access is denied. The ID for the session ticket is passed back to the XML Agent 54 (step 76). The XML Agent 54 encrypts the concatenation of the session ticket ID and the public key with a matching private key (step 78). The concatenated encryption is then placed inside a SAML assertion, which the XML Agent 54 sends to the first Web service 58 (step 80).

Sometimes, during processing, a Web service requires direct access to another Web service. FIGS. 3A and 3C illustrate an example embodiment for providing such access. During processing, the first Web service 58 places the SAML assertion that it received from the XML Agent 54 into a new XML document, signs the document, and sends a request to the Web server 52 for access to a second Web service 60 (step 82). The XML Agent 54 intercepts the request and validates the SAML assertion by ensuring that the XML document was signed with the private key that matches the public key (step 84). If the SAML assertion is valid, the XML Agent 54 utilizes the session ticket ID with the SAML assertion to determine if the user associated with the request is authenticated to access the second Web service 60 (step 86). If the user is authenticated, the Web server 52 grants access to the Web service consumer 50 without the Web service consumer 50 having to re-authenticate because of information in the assertion (step 88). This results in single sign-on functionality. If either the assertion or the authentication is invalid, access is denied.
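The proxy-model flow of FIGS. 2A through 2C, as an added Go example (not code from the patent or from Netegrity): the XML Agent binds the session ticket ID to the consumer's public key (steps 32-38), the consumer signs a later document with the matching private key (step 42), and the agent applies the three checks of steps 44-48, which the chain model repeats in steps 84-86. Run also exercises the rejections a defender cares about: the same assertion presented by a party without the private key, a copy with another key spliced in, and a ticket whose session has lapsed. Assumptions: the patent's "encrypt the concatenation with a private key" is realised as an Ed25519 signature by the agent, the Policy Server's session store is an in-memory map with an expiry, and all type, field and function names are invented here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Assertion stands in for the SAML assertion of steps 36-38 (assumed layout).
type Assertion struct {
	TicketID  string
	ClientPub ed25519.PublicKey
	AgentSig  []byte // agent's Ed25519 signature over TicketID || ClientPub
}

// Session is the Policy Server's record behind one session ticket (step 32).
type Session struct{ User string; Expires time.Time }

// Agent models the XML Agent plus the Policy Server's in-memory session store.
type Agent struct{ priv ed25519.PrivateKey; pub ed25519.PublicKey; sessions map[string]Session }

func NewAgent() (*Agent, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Agent{priv: priv, pub: pub, sessions: map[string]Session{}}, err
}

// binding is the concatenation of step 36; requestBytes is the new document with the
// assertion placed inside it, which is what the consumer signs in step 42.
func binding(id string, pub ed25519.PublicKey) []byte { return append([]byte(id+"|"), pub...) }
func requestBytes(doc []byte, as Assertion) []byte {
	return append(append([]byte{}, doc...), binding(as.TicketID, as.ClientPub)...)
}

// Issue runs steps 32-38 once the user has been authenticated and authorized by another
// scheme. In the chain model (steps 74-80) the agent would generate clientPub itself.
func (a *Agent) Issue(user string, clientPub ed25519.PublicKey, ttl time.Duration) (Assertion, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return Assertion{}, err
	}
	id := base64.RawURLEncoding.EncodeToString(raw)
	a.sessions[id] = Session{User: user, Expires: time.Now().Add(ttl)}
	return Assertion{id, clientPub, ed25519.Sign(a.priv, binding(id, clientPub))}, nil
}

// SignRequest is the consumer's side of step 42 (or the first Web service's, step 82).
func SignRequest(priv ed25519.PrivateKey, doc []byte, as Assertion) []byte {
	return ed25519.Sign(priv, requestBytes(doc, as))
}

// Validate runs steps 44-48: agent binding intact, document signed by the bound key,
// and a live session behind the ticket. It returns the session's user on success.
func (a *Agent) Validate(as Assertion, doc, sig []byte, now time.Time) (string, error) {
	if !ed25519.Verify(a.pub, binding(as.TicketID, as.ClientPub), as.AgentSig) {
		return "", errors.New("assertion not issued by this agent, or altered")
	}
	if !ed25519.Verify(as.ClientPub, requestBytes(doc, as), sig) {
		return "", errors.New("document not signed by the key bound in the assertion")
	}
	s, ok := a.sessions[as.TicketID]
	if !ok || !now.Before(s.Expires) {
		return "", errors.New("no live session for this ticket")
	}
	return s.User, nil
}

type Outcome struct{ User string; StolenRejected, ForgedRejected, ExpiredRejected bool }

// Run walks the proxy model with constructed data and records how each scenario fared.
func Run() (o Outcome, err error) {
	agent, err := NewAgent()
	if err != nil {
		return o, err
	}
	clientPub, clientPriv, _ := ed25519.GenerateKey(rand.Reader) // consumer's key pair
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)   // holds only a copy of the assertion
	as, err := agent.Issue("alice", clientPub, time.Hour)        // "alice" is a constructed user
	if err != nil {
		return o, err
	}
	doc := []byte(`<request service="second">constructed sample</request>`)
	now := time.Now()
	if o.User, err = agent.Validate(as, doc, SignRequest(clientPriv, doc, as), now); err != nil {
		return o, err
	}
	_, err = agent.Validate(as, doc, SignRequest(otherPriv, doc, as), now)
	o.StolenRejected = err != nil
	forged := Assertion{as.TicketID, otherPub, as.AgentSig}
	_, err = agent.Validate(forged, doc, SignRequest(otherPriv, doc, forged), now)
	o.ForgedRejected = err != nil
	_, err = agent.Validate(as, doc, SignRequest(clientPriv, doc, as), now.Add(2*time.Hour))
	o.ExpiredRejected = err != nil
	return o, nil
}

func main() { o, err := Run(); fmt.Println(o, err) }
```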

In addition to the above embodiments, the teachings of the present invention further extend to provide a third party with a mechanism for authenticating a document. The Web service consumer 10 or 50 first completes an authentication with establishment of a valid assertion with a public and private key pair as described above or with equivalent methods as understood by one of ordinary skill in the art. The Web service consumer 10 or 50 can then forward a document to a third party, the document containing the assertion. The third party can then validate the authenticity of the document from the Web service consumer 10 or 50 by checking with the system supporting the authentication scheme. If the system verifies the signature and assertion, the third party is assured of the origin of the document. The third party may then use the document based on the terms and conditions associated with the issuing site's agreement with the third party regarding such authentication verifications. An example embodiment of the described authentication service can include the third party signed document being a credit card. The verification from the issuing site equates to the authorization a merchant receives when validating a credit card for a specific purchase. This described process and illustrative embodiment, in addition to other equivalent embodiments and combinations of authentication steps and parties requiring verification, are intended to fall within the scope of the teachings of the present invention.

In conventional networks, there is no functional element for propagation of a user's authentication and/or session information between different requests to different Web services. The user must be authenticated each time they access a Web service. The teachings of the present invention facilitate, using SAML session tickets, the authentication of the user a single time, permitting subsequent access to multiple different Web services in a domain without re-authentication/re-authorization. The system and method of the authentication scheme of the present invention generate a SAML assertion that binds a session ticket with the user's public key through encryption. This assertion can then be utilized for authentication in subsequent requests to Web services in the same domain. If a request is a signed document with an assertion, the Policy Server can ensure that the message is from the entity holding the private key that matches the public key in the assertion. After the initial authentication, the public key in the assertion secures the transaction with the subsequent Web service. Even if an unauthorized party obtains the assertion, they still cannot breach security because they do not have the requisite private key. Further, for authentication service environments, the public key eliminates the need for all Web service connections to be at the secure sockets layer (SSL). Only the connection to the Web server issuing the assertion needs to be an SSL connection. However, SSL still has value for encryption purposes. The authenticated consumer can then include the assertion in later documents sent to third parties with access to the authentication service that created the assertion with public and private key combinations. The third parties can then authenticate the source of the document with the help of the authentication service.

Numerous modifications and alternative embodiments of the present invention will be apparent to those skilled in the art in view of the foregoing description. Accordingly, this description is to be construed as illustrative only and is for the purpose of teaching those skilled in the art the best mode for carrying out the present invention. Details of the structure and method may vary substantially without departing from the spirit of the invention, and exclusive use of all modifications that come within the scope of the disclosed invention is reserved.

1. In a network including at least one electronic device, a method of authentication of a web service customer, comprising: a web server receiving a request for access to a first web service; intercepting the request with an agent and collecting authentication credentials; determining whether the web service customer is authenticated and authorized; if the web service customer is authenticated and authorized, creating a session and session ticket; returning an ID and the session ticket to the web server; encrypting the session ticket ID and a public key into an assertion; sending the assertion to the first web service; and returning the assertion to the web service customer.
2. The method of claim 1, further comprising: the web service customer inserting the assertion, and a signature into a document; receiving a request for access to a second web service; intercepting the request with the agent and collecting authentication credentials; determining whether the assertion is valid; if the assertion is valid, determining whether the web service customer is authenticated; and if the web service customer is authenticated, granting the web service customer access to the second web service.
3. The method of claim 1, wherein the request comprises a SAML assertion.
4. The method of claim 1, wherein receiving a request comprises the web server receiving a public key and a request for access to a web service.
5. The method of claim 1, wherein intercepting the request comprises an XML agent intercepting the request and gathering authentication credentials.
6. The method of claim 1, wherein determining whether the web service customer is authenticated and authorized comprises comparing the web service customer with a database containing authentication and authorization data.
7. In a network including at least one electronic device, a method of authentication of a web service customer, comprising: the web service customer inserting an assertion and a signature into a document; a web server receiving a request for access to a web service; intercepting the request with an agent and collecting authentication credentials; determining whether the assertion is valid; if the assertion is valid, determining whether the web service customer is authenticated; and if the web service customer is authenticated, granting the web service customer access to the web service.
8. The method of claim 7, wherein the request comprises a SAML assertion.
9. In a network including at least one electronic device, a method of authentication of a web service customer, comprising: the web service customer sending a request for access to a first web service; a web server receiving an encrypted assertion and public key for incorporation into future requests; and the web service customer being granted access to the first web service.
10. The method of claim 9, further comprising: inserting the encrypted assertion and public key, and a signature, into a document; requesting access to a second web service; and being granted access to the second web service.
11. The method of claim 9, wherein the request comprises a SAML assertion.
12. In a network including at least one electronic device, a method of authentication of a web service customer, comprising: a web server receiving a request for access to a first web service; intercepting the request and gathering authentication credentials; determining whether the web service customer is authenticated and authorized; if the web service customer is authenticated and authorized, creating a session and session ticket; returning an ID and the session ticket to the web server; encrypting the session ticket ID, a public key, and a private key into an assertion; and sending the assertion to the first web service.
13. The method of claim 12, further comprising: receiving a request from the first web service for access to a second web service; intercepting the request with the agent and collecting authentication credentials; determining whether the assertion is valid; if the assertion is valid, determining whether the web service customer is authenticated; and if the web service customer is authenticated, granting the first web service access to the second web service.
14. The method of claim 12, wherein the request comprises a SAML assertion.
15. The method of claim 12, wherein receiving a request comprises receiving an XML document without a public key.
16. The method of claim 12, wherein intercepting the request comprises an XML agent intercepting the request and gathering authentication credentials.
17. The method of claim 12, wherein determining whether the web service customer is authenticated and authorized comprises comparing the web service customer with a database containing authentication and authorization data.
18. In a network including at least one electronic device, a method of authentication of a source of a document, comprising: a third party receiving a document from a previously authenticated first source; the third party forwarding the document to a predetermined authentication system responsible for previously authenticating the first source to authenticate the source; and the third party receiving an indication of validation as to whether the document originated with the first source.
19. The method of claim 18, wherein the request comprises a SAML assertion.
20. The method of claim 18, wherein receiving a document comprises a web server receiving a public key and a request for access to a web service.
21. The method of claim 18, wherein receiving a document comprises receiving an XML document without a public key.
22. The method of claim 18, wherein the predetermined authentication system comprises an XML agent intercepting the request and gathering authentication credentials.
23. The method of claim 22, wherein determining whether the document originated with the first source comprises comparing the first source with a database containing authentication and authorization data.